Achieving Greatness by Daring to Risk Mohamed Ridza Wahiddin, PhD, DSc Deputy Rector (Research & Innovation)/CIO 3 September 2014 © 2014 IIUM. All Rights Reserved.
Achieving Greatness by Daring to Risk
Mohamed Ridza Wahiddin, PhD, DSc
Deputy Rector (Research & Innovation)/CIO
3 September 2014
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
Context of Discussion…Presentation Outline
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
Creativity
•Connecting the dots … making
connections where none existed before
•Christopher Sholes made a connection
between piano keys and a writing
machine to invent the TYPEWRITER
© 2014 IIUM. All Rights Reserved.
Innovation
•Taking Creativity to the NEXT LEVEL
© 2014 IIUM. All Rights Reserved.
Innovation (Tom Gorman)
• INNOVATION is the act of developing a new
product, service or process based upon a
new idea.
• To innovate means to come up with some
new thing, not just a new idea.
• INNOVATION = Problem Solving
• INNOVATION is the engine of the world’s
economy because there is no end to the
problems in this world, and there never will
be.
• INNOVATOR is anyone with a solution to a
problem
© 2014 IIUM. All Rights Reserved.
Lifestyle Marketing and Ralph Lauren
© 2014 IIUM. All Rights Reserved.
Lifestyle Marketing and Ralph Lauren
© 2014 IIUM. All Rights Reserved.
• What problem did Ralph Lauren solve?
• The problem of how to sell more high-
quality merchandise at higher prices to
a larger market.
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
Take-home Message• The role of risk manager should be to help build a culture that
encourages all employees to take risks—prudent risks, of
course. That builds resilience into a company without stifling
progress. With shared responsibility for assessing what could
put an organization at peril comes a sense of motivation,
ownership, and self-reliance—as well as improved decision-
making—throughout all levels of the company
• The risk manager needs to shift employees’ attitudes about
risk from one of fear and silence toward one of collaboration
and teamwork. This mind-set change can be summed up as
moving from preventing people from doing things (“don’t do”)
to giving them a road map that allows them to do things freely,
but within a common set of guidelines (“this is how you
navigate”)
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
Take-home Message1. Many companies have established “stage gates”,
essentially a funnelling process designed to reduce
uncertainty as exposure to risk grows. In many cases,
however, the stage gating process is too focused on re-
enforcing what the company does well today and the
funnels end up producing only weak, incremental ideas that
come to market slowly and lack emphasis on new areas for
expansion
2. Ironically, another common impediment to innovation is an
existing corporate culture that overly celebrates and
rewards success. In these cultures, it is rare to find
someone who has been able to rise in the ranks with a
failed experiment on his or her resume, even if the failure
provided valuable insights about future opportunities
© 2014 IIUM. All Rights Reserved.
Take-home Message3. Venture capital firms – typically designed to manage risk
and encourage innovation – can provide some important
lessons for large organizations seeking to advance the
cause of innovation. These firms typically create a portfolio
of investments and engage with the management team
through the development process regarding new insights
and unanticipated opportunities resulting from new
learnings in the process. These firms also know in advance
that most experiments will fail
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
Take-home Message• Call it “getting the A out of Angel”—that is, figuring out how
to survive the leap from the initial angel round of private
investments to the Series A investment round underwritten
by venture capital firms. This leap has become the new
deal breaker—and because of that, the new obsession—for
new technology start-up firms in the Valley (and everywhere
else)
• Here’s how the system used to work: You have an idea, or
license to commercialize a technology, and you form a team
to build a company to bring that product to market. You put
together a business plan; then you go out and pitch that
idea to family, friends and business contacts in hopes of
raising enough money from these angel investors to get
underway and, with luck, build a demonstration product or
prototype that will appeal to professional investors.
© 2014 IIUM. All Rights Reserved.
Take-home Message
• Typically, the goal is to reach $250-500K in this angel
round. In our software app/social networking era, that’s
usually enough to develop a strategic vision, identify
potential customers and strategic partners, rent office
space, hire a CEO and a CTO, line up a code-writing team
in Buenos Aires or Bangalore to do the coding and contract
a graphic designer to prepare the screen shots. By the end
of process, your burn rate is $30-50K per month—so you’ve
got about six months to ready yourself for the next phase
© 2014 IIUM. All Rights Reserved.
Take-home Message
• In the traditional start-up model, this was usually enough.
Phase II, which typically costs between a half-million and a
million dollars, gets you to a working demonstration, even a
full prototype, of your product. This money usually comes
from so-called early stage venture capitalists who have
assembled funds specifically to pursue investments in the
high-risk/high-return game of putting money into start-ups
that are still young and largely unproven. A lot of VCs—and
their investors—got very, very rich making these seed round
investments
© 2014 IIUM. All Rights Reserved.
Take-home Message
• That was then. All of that changed in the first years of this
century. That’s when the dot.com bubble popped—and
billions of dollars evaporated overnight. That crash killed a
number of second and third-tier venture capital firms; but
even those that survived found themselves with a lot of
unhappy investors—and busted funds hanging around their
necks like albatrosses for years to come.
© 2014 IIUM. All Rights Reserved.
Take-home Message
• Investors have learned just enough of a lesson from the
dotcom bust to believe two things:
1. High risk ventures are too risky. Sure, Benchmark made
billions on eBay, and Sequoia did the same on Google.
But when the e-commerce industry collapsed for every
winner like those two, thousands of other start-ups—all
looking just as good on paper—died. As a result, today’s
fund investors, if they don’t demand a sure thing, expect
something pretty close to it. That means where they used
to demand a business plan and a founder team, they now
require a demonstration product, a veteran executive
team, and even an installed base of users/customers.
© 2014 IIUM. All Rights Reserved.
Take-home Message2. All VCs aren’t the same. Hard as it is now to believe, up
until the bust the common view, especially among naïve
entrepreneurs, was that all venture capitalists were pretty
much the same. If they had ready money—and most of
them did, even if it was a bit sketchy—they were good to
go. Big investors don’t believe that anymore. That has
led to the shakeout of a number of VCs firms, both
veteran and fly-by-night, over the last decade. But even
more stunning is the fact that some of the most legendary
and admired VC firms in the Valley have failed, largely
because of misguided recent investments (Kleiner-
Perkins’ obsession with green technology) to capture this
big investment money and have tumbled to second-tier
status.
© 2014 IIUM. All Rights Reserved.
Take-home Message3. There are no IPOs. More precisely: not enough. The
traditional venture capital model was based on a
liquidation event—the initial public offering of stock—that
regularly offered a stunning payback on the original
investment just a half-dozen years later. Not every VC-
backed start-up went public, of course, but enough (10 to
20 percent) did, and produced enough reward, to make
the whole system both viable and appealing. But that,
too, ended with the bursting of the dotcom bubble and the
crash of 2001. Congress, intent on punishing what it saw
as a giant and corrupt Ponzi scheme (and insufficient
tribute money from the high-tech sector) instituted a
series of laws and regulations—Sarbanes-Oxley, changes
in stock option accounting, rules on director
accountability—that essentially plugged the IPO pipeline.
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
1. The first is the incredible pace of technological change. CIOs
need to place bets—like VCs do—that a given product or
service is going to hit the market at the right time and fill a
niche that others don’t. It’s often no longer acceptable to use
one vendor for all your technology needs
2. Second, given all the information now accessible to everyone,
it’s hard to gain a competitive advantage. VCs try to create a
competitive advantage by investing in companies to make a
profit— and CIOs try to create a competitive advantage by
investing in services and capabilities to reap the benefits
before competitors can
3. And third, to avoid trailing your competitors, CIOs need to take
risks. VCs take balanced risks, conducting market research,
and being thoughtful about selection and the company’s fit with
the team.
Charles Weston, SVP and chief information officer (retired),
Bloomin’ Brands Take on CIO as Venture Capitalist
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
Operational Risks•The Bank has a dedicated security function and the IT security
framework (that is currently being updated) provides an
integrated, organisation-wide program for managing information
security risks. Extensive control measures are in place, including
technology-based mitigations and non-technical mitigations
revolving around IT security policies, training, and incident
management procedures.
•Systematic external and internal security monitoring and testing
arrangements are in place. They reveal extraordinary numbers of
potential threats. Suspicious events triggering alerts number
around 500 million per month.
•Operational risks, be they security, business continuity or service
delivery, are most effectively managed through a risk management
approach that is integrated into the business and culture of the
organisation.
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
Take-home Message
• Ken Grady, CIO of New England Biolabs, is going through a
data valuation exercise to figure out how much and what
kind of insurance to buy for the company's information
assets. But not everything is worth protecting. For example,
PowerPoint presentations from routine meetings, videos
from a training seminar and chemical safety sheets are
everywhere and easily reproduced, he says. Sorting the
mundane from the valuable "requires us to really
understand and assess which types of data have a financial
value if compromised and which don't."
© 2014 IIUM. All Rights Reserved.
Insurance companies offer cybersecurity
policies to reimburse expenses related to breaches and theft,
but the value of the data isn't the central issue, says Reynold
Siemens, an attorney at the law firm Pillsbury Winthrop Shaw
Pittman. He represents policyholders trying to extract payments
from insurers.
•Rather than value the data at the centre of the situation, the two
sides quantify the costs of the incident, such as customer
notifications, technology to stop or prevent a future breach, fines
and judgments, he says.
•Policies and premiums are determined based on assessments
like these, for which the two sides can estimate a dollar value. But
the data itself isn't insured, Siemens says, though it is possible to
buy insurance to cover the cost of reconstructing or repairing
damaged data
© 2014 IIUM. All Rights Reserved.
© 2014 IIUM. All Rights Reserved.
“Evidence-based knowledge, including context, mechanisms,
indicators, implications and
actionable advice about an existing or emerging menace or
hazard to assets that can be used to
inform decisions regarding the subject’s response to that
menace or hazard.” - GARTNER on Threat Intelligence -
Concluding Remarks
© 2014 IIUM. All Rights Reserved.
• CIOs need to think like a venture capitalist
• CIOs need to know the value of the ‘I’ in their title
• CISO Recommendation:“Use a commercial threat
intelligence service to
develop informed tactics
for current threats, and
plan for threats that may
exist in the midterm future.”
Rob McMillan & Kelly Kavanagh
Technology Overview for Security Threat Intelligence Service Providers
© 2014 IIUM. All Rights Reserved.